DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Recent NYS audits of K-12 school districts’ infosecurity

Posted on July 27, 2023 by Dissent

A toot by Doug Levin yesterday reminded me that I haven’t posted NYS Comptroller audits of school districts in a while.  So here are three to get caught up:

Jericho Union Free School District – Acceptable Use Policy (2022M-194)

Issued Date: July 21, 2023

Audit Objective

Determine whether Jericho Union Free School District (District) officials helped safeguard personal, private and sensitive information (PPSI) by developing controls and communicating an acceptable use policy (AUP) to business office staff.

Key Findings

District officials did not help safeguard PPSI by developing and communicating a comprehensive AUP to business office staff. As a result, PPSI related to District employees and finances could be exposed because some websites may be malicious or contain code to compromise a user’s computer or prompt the user to perform activities that may result in malware infection or PPSI exposure. In addition to sensitive information technology (IT) weaknesses that were communicated confidentially to officials, we found:

  • All nine business office employees, including the Assistant Superintendent for Business Affairs (ASB), were not aware that they were expected to follow the Computer Network and Internet Student Acceptable Use policy or what the District considers to be appropriate and inappropriate Internet use.
  • District officials did not periodically review web histories to determine whether any employee’s web browsing was inappropriate.

Key Recommendations

  • Ensure the AUP is updated, or administrative regulations are developed, to provide guidance for business office staff that defines acceptable Internet use and browsing.
  • Ensure business office staff who utilize computers are adequately informed of the regulations.

District officials disagreed with certain aspects of our findings and recommendations. Appendix B includes our comments on issues raised in the District’s response letter.

Read the full report (pdf)

West Hempstead Union Free School District – Nonstudent Network User Account Controls (2023M-9)

Issued Date: July 14, 2023

Audit Objective

Determine whether West Hempstead Union Free School District (District) officials established adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss.

Key Findings

District officials did not establish adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found that the Board of Education (Board) and District officials did not:

  • Develop and adopt policies and procedures addressing key network user access controls, such as user account management, password security and user account controls.
  • Disable 60 of the District’s enabled nonstudent network accounts (11 percent) that were not needed. Twenty-two of these accounts (37 percent) have not been used in more than five years, with the oldest being last used more than 10 years ago. These accounts include:
    • 53 former employee network accounts, and
    • 7 network service accounts used for hardware devices and email aliases.

Key Recommendations

  • Adopt comprehensive network user account policies and procedures addressing securing user accounts with passwords and adding, disabling and changing user access.
  • Periodically review user access for all nonstudent network user accounts and disable user accounts when access is no longer needed.

District officials disagreed with certain aspects of our findings and recommendations, but indicated they have initiated or plan to initiate corrective action. Appendix B includes our comments on issues raised in the District’s response letter.

Read the full report (pdf).

Sewanhaka Central High School District – Business Office Information Technology Systems (2023M-12)

Issued Date: June 30, 2023

Audit Objective

Determine whether Sewanhaka Central High School District (District) officials developed an information technology (IT) contingency plan to help secure and protect business office IT systems in the event of a disruption or disaster.

Key Findings

District officials did not develop an IT contingency plan to help them adequately secure and protect business office IT systems in the event of a disruption or disaster.

Without a comprehensive written IT contingency plan in place that is properly distributed to all business office staff and periodically tested for efficacy, District officials have less assurance that employees and other responsible parties will react quickly and effectively to maintain business continuity. As a result, important financial and other business office data could be lost or suffer a disruption to operations.

Additional sensitive IT control weaknesses were communicated confidentially to District officials.

Key Recommendations

  • Develop, adopt and test a written IT contingency plan and communicate it to appropriate officials and employees.

District officials agreed with our findings and have initiated or plan to initiate corrective action.

Read the full report (pdf).

Category: Commentaries and AnalysesEducation Sector

Post navigation

← Leaking Someone’s Personal Data Will Cost You Up to $2 Million in Pakistan
CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack
  • Marquette County Medical Care Facility discloses data breach
  • Industry Letter – June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts
  • MNGI Digestive Health settles class action lawsuit stemming from BlackCat attack
  • Four REvil ransomware members released after time served on carding charges
  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.